Bug 2038166

| Summary: | Starting from Go 1.17 invalid certificates will render a cluster non-functional | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Pierre Prinetti <pprinett> |
| Component: | Cloud Compute | Assignee: | Pierre Prinetti <pprinett> |
| Cloud Compute sub component: | OpenStack Provider | QA Contact: | Itzik Brown <itbrown> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | urgent | | |
| Priority: | urgent | CC: | aos-bugs, itbrown, juriarte, m.andre, mbridges, mfedosin, pprinett |
| Version: | 4.10 | Keywords: | Triaged |
| Target Milestone: | --- | | |
| Target Release: | 4.10.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Known Issue |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-03-10 16:37:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

Cause: HTTPS certificates that identify the server only in the CommonName field are rejected by Go v1.17, and therefore by OpenShift 4.10.

Consequence: When installing or upgrading a cluster to v4.10 on an OpenStack infrastructure which exposes endpoints with invalid certificates, the cluster will not be able to perform operations on OpenStack and may cease to function.

Workaround (if any): Check and replace invalid HTTPS certificates. The documentation provides a script to check each certificate in the OpenStack catalog. To avoid disruption, replace the invalid certificates BEFORE installing or upgrading to OpenShift v4.10.

Result: Once the invalid certificates are replaced by ones that carry the server names or IPs in the Subject Alternative Names field, the operators should become functional again. Restarts might be necessary.
Description

Pierre Prinetti 2022-01-07 13:53:25 UTC

I have marked this bug as Urgent because a decision WRT priority should be made urgently, but it should be mentioned that this decision could very well be WONTFIX. The team is currently considering three options:

1. moving forward with 1.23 rebases and accept the risk of breaking clusters, given the release notes since 4.6 have said that certs must properly set SANs, though we ended up not enforcing that until now
2. rush validation into 4.10 and backport to 4.9
3. write an external tool that validates OpenStack certificates and warns the user in case of "invalid certificates"

Removing the Triaged keyword because:
* the priority assessment is missing

The proposed patch documents the issue and provides a Bash script to validate the OpenStack infrastructure.

Ran the script against a cluster without Subject Alternative Name and all the endpoints marked as failed.
OSP RHOS-16.1-RHEL-8-20211126.n.1

Downstream docs change is merged.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056